Today is patch Tuesday for September 2020, and amongst the updates released today are security fixes for Exchange 2016 and Exchange 2019.
More specifically, the fix is only available for the versions of Exchange 2016 and 2019 that are open for servicing. This means that only the latest CUs can be serviced, and if you are running on an outdated CU then there is not way that you can receive these security fixes for that old CU.
In such cases, you must update to a CU where the security fix is available.
Please see KB 4577352 for details of the release and a link to the MSRC.
These Exchange 2016 and 2019 security releases include all previous security fixes for the relevant product. Subsequent Cumulative Updates will included these security fixes.
This vulnerability is not applicable to Exchange 2010 or Exchange 2013.
Cheers,
Rhoderick
